Working with the Winbind Daemon

The Winbind daemon, winbindd, enables the Linux Name Service Switch (nsswitch) to retrieve user and group information from a Windows primary domain controller (PDC). This provides a networked authentication mechanism similar to the Network Information System (NIS and NIS+) often used in computing environments that make heavy use of Sun's Network File System (NFS). The Winbind daemon enables Windows users to log in on a Linux machine using the Windows credentials provided by the PDC without requiring any local user and group entries in the Linux password file.

To use winbindd, do the following:

1. Add Winbind entries to the /etc/nsswitch.conf file that tells your Linux system the services that it can use for authentication and the order in which those services should be queried for valid authentication information. These entries should look like the following:

passwd: files winbind
group: files winbind

2. Modify the auth (authentication) entries in all of the Pluggable Authentication Module (PAM) configuration files in the directory /etc/pam.d to contain authentication entries such as the following:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok

3. Modify the account entries in all of the PAM configuration files in /etc/pam.d to contain an account entry such as the following:

account required /lib/security/pam_winbind.so

4. Join the existing Windows domain by executing Samba's net command, as in the following example, where PDC is the name or IP address of your Windows primary domain controller and USER is any user with administrative privileges in that domain:

5. Add appropriate winbind entries to the [global] section of your Samba server's configuration file, /etc/samba/smb.conf. The entries that you should add are the following, where MYDOMAIN is the name of the Windows domain for which the PDC you specified in the previous step provides authentication information:

winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = MYDOMAIN
security = domain
password server = *

6. Start the Winbind daemon (rcwinbind start) on your SUSE system, and restart the Samba daemon and NetBIOS name daemon by executing the following commands:

rcnmbd restart
rcsmbd restart

Any user with an entry in your Windows PDC should now be able to log in on your SUSE system using a username of the form DOMAIN+username and his or her Windows password.

If you are using Winbind, you should ensure that the daemon is set to run in its default runlevels by using the YaST runlevel editor, or (as root) by typing the following command:

# chkconfig winbind on

If you have problems configuring or using the Winbind daemon, you can use the wbinfo command to query the PDC through the Winbind daemon. The information that it returns can help you diagnose Winbind problems by showing how the Winbind daemon translates various Windows authentication information. For complete information about the wbinfo command, type man wbinfo.
